chore: don't pin slsa-github-generator digest

See https://github.com/slsa-framework/slsa-github-generator/blob/main/RENOVATE.md
miracum · Nov 2, 2022 · 68c270d · 68c270d
1 parent 184b532
commit 68c270d
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 1 deletion.
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -48,7 +48,7 @@ jobs:
       id-token: write # To sign the provenance.
       contents: write # To add assets to a release.
     # can't be referenced by digest. See <https://github.com/slsa-framework/slsa-github-generator#verification-of-provenance>
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@bdd89e60dc5387d8f819bebc702987956bcd4913 # tag=v1.2.0
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.2.1
     with:
       base64-subjects: "${{ needs.prepare-artifacts.outputs.hashes }}"
 

diff --git a/.renovaterc.json b/.renovaterc.json
@@ -22,6 +22,11 @@
     {
       "matchPackagePatterns": ["^ghcr\\.io\\/miracum\\/recruit"],
       "extends": ["schedule:daily"]
+    },
+    {
+      "matchManagers": ["github-actions"],
+      "matchPackageNames": ["slsa-framework/slsa-github-generator"],
+      "pinDigests": false
     }
   ]
 }